[Declude.JunkMail] X-Declude-Sender missing IP
With the latest beta I am seeing messages where the X-Declude-Sender is missing the IP address, i.e., [0.0.0.0]. Ones I've seen are from my internal network. Terry Fritts --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] 100 Point scale / DNS
First Question: I know this issue has been discussed in the past, but I would like to make sure I understand the discussions: 1. We are contemplating revising the scoring to a 100 point scale 2. I assume that when the conversion is made that initially you select the value for 100 point and then proportionally adjust the scores up. Questions: What weight did you use for the 100 points? Was it the delete weight? Or the hold weight? or something in between the values? Second Question: I am receiving a lot of DNS timeout values, yet when I go the run the IP address through NSLookup, it returns the address immediately. The primary address on the server is a Windows 2003 DNS server, secondary addresses are linux DNS servers. What DNS servers is Declude using when doing a DNS lookup? As I recall, there was a way to specify these values in the global.cfg but I was not able to locate any information on this. Anyone have any recommendations or insight into the problem? Thanks for you help in advance, David
Re: [Declude.JunkMail] 100 Point scale / DNS
David, There is a problem with Win2003 DNS and some firewalls due to packet size or something like that. I forget exactly what the issue is, but there is a modification that should be made to your system if in fact you are getting a lot of time-outs. Hopefully one of those affected will chime in and explain what the issue is and how to fix it. You might also want to visit mail-archive.com and search the IMail archives for "DNS Windows 2003". Declude uses the DNS server specified in IMail. You should only list one in there, and the DNS server should either be installed on the same box or on the same network. Your question about weights is very subjective. Each system is different and you will likely find your own unique mix of weights to make this work. I would start by adjusting by even multiples, and then tweak things one or a few at a time to see what works. This will take time. Note that the only functional reason for upping the scoring is so that you can achieve better granularity with scoring, effectively giving you the precision to score things in tenths of a point with a fail weight of 100 instead of full points on a fail weight of 10. Matt Kornitz, David wrote: First Question: I know this issue has been discussed in the past, but I would like to make sure I understand the discussions: 1. We are contemplating revising the scoring to a 100 point scale 2. I assume that when the conversion is made that initially you select the value for 100 point and then proportionally adjust the scores up. Questions: What weight did you use for the 100 points? Was it the delete weight? Or the hold weight? or something in between the values? Second Question: I am receiving a lot of DNS timeout values, yet when I go the run the IP address through NSLookup, it returns the address immediately. The primary address on the server is a Windows 2003 DNS server, secondary addresses are linux DNS servers. What DNS servers is Declude using when doing a DNS lookup? As I recall, there was a way to specify these values in the global.cfg but I was not able to locate any information on this. Anyone have any recommendations or insight into the problem? Thanks for you help in advance, David -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.JunkMail] 100 Point scale / DNS
If you're happy with the weight settings of your current weighting system (hold on 20 ?) you can simply change to a hold-on-100 system by multipling all wheigts in your cfg file by factor 5 and change your WEIGHT20 test to WEIGHT100 Then save the cfg file and it's done. Beside more granularity it's easier now to calcualte test weights in conjunction with statistical research. HOLD-weight = 100% = 100 pts Mysystem is holding anything above 100 points. The starting theory is that a message should fail at least 4 tests before it can be hold. So one single test shouldn't have more the 33 points. Only very reliable tests should have configured more then 33 points. Tests that are known to have more "false positves" but beside this good results in spam detection should be reduced down to something between 1 and 15 points. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kornitz, DavidSent: Tuesday, September 28, 2004 2:36 PMTo: [EMAIL PROTECTED]Subject: [Declude.JunkMail] 100 Point scale / DNS First Question: I know this issue has been discussed in the past, but I would like to make sure I understand the discussions: 1. We are contemplating revising the scoring to a 100 point scale 2. I assume that when the conversion is made that initially you select the value for 100 point and then proportionally adjust the scores up. Questions: What weight did you use for the 100 points? Was it the delete weight? Or the hold weight? or something in between the values? Second Question: I am receiving a lot of DNS timeout values, yet when I go the run the IP address through NSLookup, it returns the address immediately. The primary address on the server is a Windows 2003 DNS server, secondary addresses are linux DNS servers. What DNS servers is Declude using when doing a DNS lookup? As I recall, there was a way to specify these values in the global.cfg but I was not able to locate any information on this. Anyone have any recommendations or insight into the problem? Thanks for you help in advance, David
Re: [Declude.JunkMail] 100 Point scale / DNS
David, I migrated our Declude JunkMail setup to a 100 point system awhile back. With our current setup as it is today we HOLD on 100 and DELETE on 300. When I first migrated over the way that I did it was I set my HOLD weight to 100 and had no DELETE weight and then I assigned arbitrary (with reason) to different tests. Since I didn't have a DELETE weight at all at firstI didn't worry about any messages being deleted and since I was closely monitoring things during this transition anything that was accidentally held I would just release. Before releasing I would adjust my original arbitrary scoring down to make sure that the next time that message, given the tests that it had failed, that it wouldn't be caught again. Most tests I just started out at 100 points each and very quickly in a few days adjusted them down to something more reasonable, usually in the 25 point range. I came up with that I think is a good combination ofgetting messages to squeak in under the 100 HOLD weight(few false positives) and yet leaving the scores high enough to catch a lot of spam. Whenever I add a new test now I add it as a 100 point test and then I adjust my DELETE weight up 100 points so that way I am assured that the addition of the new test will not put anything over the delete level. And then I watch for false positives and adjust the new test down accordingly to again get those messages to squeak in under the HOLD weight. I am investigating making my DJM settings publically available via FTP as Kami does. If you are interested I'll let you see how I am doing it when that's up. Dan - Original Message - From: Kornitz, David To: [EMAIL PROTECTED] Sent: Tuesday, September 28, 2004 8:36 AM Subject: [Declude.JunkMail] 100 Point scale / DNS First Question: I know this issue has been discussed in the past, but I would like to make sure I understand the discussions: 1. We are contemplating revising the scoring to a 100 point scale 2. I assume that when the conversion is made that initially you select the value for 100 point and then proportionally adjust the scores up. Questions: What weight did you use for the 100 points? Was it the delete weight? Or the hold weight? or something in between the values? Second Question: I am receiving a lot of DNS timeout values, yet when I go the run the IP address through NSLookup, it returns the address immediately. The primary address on the server is a Windows 2003 DNS server, secondary addresses are linux DNS servers. What DNS servers is Declude using when doing a DNS lookup? As I recall, there was a way to specify these values in the global.cfg but I was not able to locate any information on this. Anyone have any recommendations or insight into the problem? Thanks for you help in advance, David
[Declude.JunkMail] E-Mail to download v1.8
Hello, Just wanted to know if there's a place to download the latest .cfg files to handle the v1.8 additions. Or even an updated declude manual? Thanks.. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] E-Mail to download v1.8
Jeff, I was able to get it via my account login at www.declude.com. Keith -Original Message- From: [EMAIL PROTECTED] on behalf of Jeff Maze Sent: Tue 9/28/2004 10:33 AM To: [EMAIL PROTECTED] Cc: Subject: [Declude.JunkMail] E-Mail to download v1.8 Hello, Just wanted to know if there's a place to download the latest .cfg files to handle the v1.8 additions. Or even an updated declude manual? Thanks.. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. winmail.dat
Re: [Declude.JunkMail] E-Mail to download v1.8
On 28 Sep 2004 at 10:33, Jeff Maze wrote: Hi Jeff, Hello, Just wanted to know if there's a place to download the latest .cfg files to handle the v1.8 additions. Or even an updated declude manual? http://www.declude.com/Articles.asp?ID=116 -Nick Thanks.. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] E-Mail to download v1.8
Really? I don't see it.. I see the manual and automatic downloads for it, and the other links take me other places.. What am I missing? Think it may just be a blonde moment.. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Tuesday, September 28, 2004 9:45 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] E-Mail to download v1.8 Jeff, I was able to get it via my account login at www.declude.com. Keith -Original Message- From: [EMAIL PROTECTED] on behalf of Jeff Maze Sent: Tue 9/28/2004 10:33 AM To: [EMAIL PROTECTED] Cc: Subject: [Declude.JunkMail] E-Mail to download v1.8 Hello, Just wanted to know if there's a place to download the latest .cfg files to handle the v1.8 additions. Or even an updated declude manual? Thanks.. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. attachment: winmail.dat
RE: [Declude.JunkMail] E-Mail to download v1.8
Keith Where did you find the manual or the cfg files? I can find the download but not the link to the manual. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com -Original Message- From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Tuesday, September 28, 2004 8:45 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] E-Mail to download v1.8 Jeff, I was able to get it via my account login at www.declude.com. Keith -Original Message- From: [EMAIL PROTECTED] on behalf of Jeff Maze Sent: Tue 9/28/2004 10:33 AM To: [EMAIL PROTECTED] Cc: Subject: [Declude.JunkMail] E-Mail to download v1.8 Hello, Just wanted to know if there's a place to download the latest .cfg files to handle the v1.8 additions. Or even an updated declude manual? Thanks.. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. attachment: winmail.dat
RE: [Declude.JunkMail] 100 Point scale / DNS
David, Here is the DNS workaround for win2003 servers. Basically win2003 increased the packet size to larger than 512k when performing a DNS query. This is a default setting in win2003. The problem is many firewalls still dont allow packets larger than 512k. Here is a link to a workaround from Microsoft: http://support.microsoft.com/default.aspx?scid=kb;en-us;832223. We have used this very successfully. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, September 28, 2004 5:52 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] 100 Point scale / DNS David, There is a problem with Win2003 DNS and some firewalls due to packet size or something like that. I forget exactly what the issue is, but there is a modification that should be made to your system if in fact you are getting a lot of time-outs. Hopefully one of those affected will chime in and explain what the issue is and how to fix it. You might also want to visit mail-archive.com and search the IMail archives for DNS Windows 2003. Declude uses the DNS server specified in IMail. You should only list one in there, and the DNS server should either be installed on the same box or on the same network. Your question about weights is very subjective. Each system is different and you will likely find your own unique mix of weights to make this work. I would start by adjusting by even multiples, and then tweak things one or a few at a time to see what works. This will take time. Note that the only functional reason for upping the scoring is so that you can achieve better granularity with scoring, effectively giving you the precision to score things in tenths of a point with a fail weight of 100 instead of full points on a fail weight of 10. Matt Kornitz, David wrote: First Question: I know this issue has been discussed in the past, but I would like to make sure I understand the discussions: We are contemplating revising the scoring to a 100 point scale I assume that when the conversion is made that initially you select the value for 100 point and then proportionally adjust the scores up. Questions: What weight did you use for the 100 points? Was it the delete weight? Or the hold weight? or something in between the values? Second Question: I am receiving a lot of DNS timeout values, yet when I go the run the IP address through NSLookup, it returns the address immediately. The primary address on the server is a Windows 2003 DNS server, secondary addresses are linux DNS servers. What DNS servers is Declude using when doing a DNS lookup? As I recall, there was a way to specify these values in the global.cfg but I was not able to locate any information on this. Anyone have any recommendations or insight into the problem? Thanks for you help in advance, David -- =MailPure custom filters for Declude JunkMail Pro.http://www.mailpure.com/software/=
RE: [Declude.JunkMail] E-Mail to download v1.8
Really? I don't see it.. I see the manual and automatic downloads for it, and the other links take me other places.. What am I missing? The cfg files, eml templates, and manuals are included in the zipped up version. - Andy --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] HiJack
Now that I have HiJack, I found out yesterday when sending a mass email to all my customers that they were held...how do I take myself out of HiJack...just turn it off while I send out messages or is there another way.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack
On 28 Sep 2004 at 11:44, Richard Farris wrote: Hi Richard, You need to whitelist your ip, regretfully there is no way to config by domain - -Nick Now that I have HiJack, I found out yesterday when sending a mass email to all my customers that they were held...how do I take myself out of HiJack...just turn it off while I send out messages or is there another way.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] HiJack
In the hijack.cfg file add: # An ALLOWIP line will let an IP address send unlimited E-mail. ALLOWIP x.x.x.x -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Tuesday, September 28, 2004 11:45 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] HiJack Now that I have HiJack, I found out yesterday when sending a mass email to all my customers that they were held...how do I take myself out of HiJack...just turn it off while I send out messages or is there another way.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] X-Declude-Sender missing IP
With the latest beta I am seeing messages where the X-Declude-Sender is missing the IP address, i.e., [0.0.0.0]. Ones I've seen are from my internal network. Are you using HOP or IPBYPASS? Could you post all the Received: headers for one of these? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack
The current version of HiJack supports 'whitelisting' by sending address in hijack.cfg. ALLOWADDR [EMAIL PROTECTED] - Original Message - From: Mike Wiegers [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 28, 2004 11:57 AM Subject: RE: [Declude.JunkMail] HiJack In the hijack.cfg file add: # An ALLOWIP line will let an IP address send unlimited E-mail. ALLOWIP x.x.x.x -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Tuesday, September 28, 2004 11:45 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] HiJack Now that I have HiJack, I found out yesterday when sending a mass email to all my customers that they were held...how do I take myself out of HiJack...just turn it off while I send out messages or is there another way.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack
Scott - wow. Now when did that occur? I see no reference of this anywhere. Are there any other switches? Thanks -Nick Hayer On 28 Sep 2004 at 14:37, Glenn \ WCNet wrote: The current version of HiJack supports 'whitelisting' by sending address in hijack.cfg. ALLOWADDR [EMAIL PROTECTED] - Original Message - From: Mike Wiegers [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 28, 2004 11:57 AM Subject: RE: [Declude.JunkMail] HiJack In the hijack.cfg file add: # An ALLOWIP line will let an IP address send unlimited E-mail. ALLOWIP x.x.x.x -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Tuesday, September 28, 2004 11:45 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] HiJack Now that I have HiJack, I found out yesterday when sending a mass email to all my customers that they were held...how do I take myself out of HiJack...just turn it off while I send out messages or is there another way.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SPF
I was hoping someone could help me with SPF settings. Currently any domain that has an unknown SPF, is not supported or does not exist has -3 (same as SPF pass) applied to the overall total. I found the log file spf.none that has these domains listed. How do I get 0 points applied if a domain is unknown? If a domain doesn't have an SPF recorded I certainly don't want points subtracted. I checked in the declude log file and it is listed as nspfpass -3 but doesn't show up in the email header as does SPFPASS and SPFFAIL. How do I change this behavior? Do I add a nspfpass to the global.cfg? Here are my current settings spfpass spf pass x 0 -3 spffail spf fail x 0 -3 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Version 1.80 Logfile Changes
We installed Declude JunkMail Version 1.80 and immediately observed that the logfile format and behavior have changed. Correct. By design, all the Msg failed... lines were taken out of LOGLEVEL LOW, and moved to LOGLEVEL HIGH. To prevent a loss of important information, a new log file entry appears showing which test(s) the E-mail failed, and which actions were taken. LOG_OK NONE does not seem to be working. Even messages which fail no tests are included in the log files. Details? Are you seeing the Message OK lines? LOGLEVEL HIGH gets all the information that used to be in LOGLEVEL MID and more, but the format of the log lines is slightly different. There's no longer a line with Total Weight =; now it says Test failed [weight=10]: etc. Correct; that was by request. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPF
I was hoping someone could help me with SPF settings. Currently any domain that has an unknown SPF, is not supported or does not exist has -3 (same as SPF pass) applied to the overall total. spfpass spf pass x 0 -3 spffail spf fail x 0 -3 With these settings, any E-mail that does not pass and/or does not fail SPF (every E-mail!) will have 3 points subtracted from its weight. I would recommend changing those lines to to: SPFPASS spf passx -3 0 SPFFAIL spf failx 3 0 That will subtract 3 points if the E-mail passes SPF, add 3 points if it fails SPF, and will do nothing if there is an UNKNOWN response (for example, if there is no SPF record). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Version 1.80 Logfile Changes
At 9/28/2004 03:58 PM, you wrote: LOG_OK NONE does not seem to be working. Even messages which fail no tests are included in the log files. Details? Are you seeing the Message OK lines? Typical log entries: 09/28/2004 15:59:07 Qc28b026d0172aa34 L1 Message OK 09/28/2004 15:59:07 Qc28b026d0172aa34 Subject: MTA 09/28/2004 15:59:07 Qc28b026d0172aa34 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 10.60.213.59 ID: 09/28/2004 15:59:07 Qc28b026d0172aa34 Tests failed [weight=0]: 09/28/2004 15:59:07 Qc28b026d0172aa34 L2 Message OK 09/28/2004 15:59:07 Qc28b026d0172aa34 Subject: MTA 09/28/2004 15:59:07 Qc28b026d0172aa34 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 10.60.213.59 ID: 09/28/2004 15:59:07 Qc28b026d0172aa34 Tests failed [weight=0]: 09/28/2004 15:59:07 Qc28b026d0172aa34 L3 Message OK 09/28/2004 15:59:07 Qc28b026d0172aa34 Subject: MTA 09/28/2004 15:59:07 Qc28b026d0172aa34 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 10.60.213.59 ID: 09/28/2004 15:59:07 Qc28b026d0172aa34 Tests failed [weight=0]: 09/28/2004 15:59:07 Qc28b026d0172aa34 Last action = IGNORE. 13 log lines for a single message with three recipients which failed no tests. and 09/28/2004 15:59:32 Qc2a3027201720804 R1 Message OK 09/28/2004 15:59:32 Qc2a3027201720804 Subject: Re: To serve...or not to serve 09/28/2004 15:59:32 Qc2a3027201720804 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 10.30.102.59 ID: 09/28/2004 15:59:32 Qc2a3027201720804 Tests failed [weight=0]: 09/28/2004 15:59:32 Qc2a3027201720804 Last action = IGNORE. 5 lines for an outgoing message which failed no test -- LOGLEVEL HIGH gets all the information that used to be in LOGLEVEL MID and more, but the format of the log lines is slightly different. There's no longer a line with Total Weight =; now it says Test failed [weight=10]: etc. Correct; that was by request. now I have to rewrite my log parsing routines :-( --Elise --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] DNS Puzzler
Hi, I have one for you DNS experts out there. We host DNS for a client that runs his own mail server, and we have received delegation from ATT for his IP block. I can see nothing wrong in our setup, yet some places can see the PTR record for his mail server's IP address, and some cannot. I have synchronized the name servers so they have exactly the same info. The online Dig tool at Men and Mice showsthe reverse lookup justfine, nslookup shows it also. But DNSReport.com reports that the server's address has no reverse lookup, as does DNSStuff.com Particulars: mail.crofuttsmith.com, 12.20.208.99 dns.skywaves.net Any ideas appreciated! Thanks as always. -Dave Doherty Skywaves, Inc.
Re: [Declude.JunkMail] HiJack
On 28 Sep 2004 at 16:15, R. Scott Perry wrote: That was added to v1.69, per http://www.declude.com/relnotes.htm . Thanks. It may make a nice addition to the manual as well. :) -Nick -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] New Bagle W32/Bagle.az@MM
We just started getting hit with this new Bagle.az. Anyone else seeing it? McAfee has defs but Symantec doesnt yet. Just started getting calls within the last hour. Todd Hunter Smart Mail.
[Declude.JunkMail] Declude 1.80 and e-mail notifications
Hi Just upgraded to 1.80, and checked the configuration. Everything seems to be working except that I noticed that I got no notifications of the test Eicar-virus e-mails I sent to myself after upgrading. Just sent Eicarplain base 64 MIME enocoded mails from http://www.declude.com/Articles.asp?ID=99 If I remove SKIPIFFORGING from the recip.eml file I get notifications with 1.80. If I go back to 1.79 I get notifications, also with the SKIPIFFORGING in the recip.eml. Is this an intended change or a bug? Regards, Kaj Laursen HIH --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 1.80 and e-mail notifications
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Thanks for pointing that out -- it should be fixed now. The format used for the forging virus lookups was changed, and we had to also make a change on our end to reflect that (which was just made). No problem. Just checked - it works as expected now. Regards, Kaj --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Bagle W32/Bagle.az@MM
Title: Message Trend calls it something else and claims that it is 13 hours old. We haven't seen any copies yet. http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AM Andrew 8) -Original Message-From: Don Hickey [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 28, 2004 1:52 PMTo: [EMAIL PROTECTED]Subject: Re: [Declude.JunkMail] New Bagle W32/[EMAIL PROTECTED] Yes we are seeing a lot of them also... Don - Original Message - From: Todd - Smart Mail To: [EMAIL PROTECTED] Sent: Tuesday, September 28, 2004 3:33 PM Subject: [Declude.JunkMail] New Bagle W32/[EMAIL PROTECTED] We just started getting hit with this new Bagle.az. Anyone else seeing it? McAfee has defs but Symantec doesnt yet. Just started getting calls within the last hour. Todd Hunter Smart Mail.
[Declude.JunkMail] SPF Envelope Rewriting
We've implemented SPF for all the domains we do mail hosting for, and have enabled SPF checking on Declude. Only one thing remains, and that is the issue of message envelopes. The big thing that busts SPF is a message forwarding, and the only way around this is to rewrite the envelope. I know IMail has no support for this, and I have my doubts it ever will. I was wondering if there are any plans for this in Declude, which does seem to have some ability to add headers. My only alternative is turn this task over to my Postfix relay server (guarding the IMail server for distributed dictionary attacks), but I'm hoping for something simpler because, well, I'm just plain lazy. -- A. Clausen [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPF Envelope Rewriting
We've implemented SPF for all the domains we do mail hosting for, and have enabled SPF checking on Declude. Only one thing remains, and that is the issue of message envelopes. The big thing that busts SPF is a message forwarding, and the only way around this is to rewrite the envelope. This is something that we will be looking into. I can't make any guarantees that we'll be able to do it (it may not be technically possible, or it may be extremely difficult), however. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DNS Puzzler
Hey Scott- So I changed it to 99.96/28IN PTR mail.crofuttsmith.com And now it works. Can you explain why? -Dave - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 28, 2004 4:42 PM Subject: Re: [Declude.JunkMail] DNS Puzzler I have one for you DNS experts out there. We host DNS for a client that runs his own mail server, and we have received delegation from ATT for his IP block. I can see nothing wrong in our setup, yet some places can see the PTR record for his mail server's IP address, and some cannot. I have synchronized the name servers so they have exactly the same info. I can see something wrong: The online Dig tool at Men and Mice shows the reverse lookup just fine, nslookup shows it also. But DNSReport.com reports that the server's address has no reverse lookup, as does DNSStuff.com http://www.dnsstuff.com/tools/ptr.ch?ip=12.20.208.99 shows that ATT is delegating the reverse DNS for 12.20.208.99 to dns.skywaves.net, using the hostname 99.96/28.208.20.12.in-addr.arpa. But dns.skywaves.net doesn't have a PTR record for 99.96/28.208.20.12.in-addr.arpa. The reason I don't like Men and Mice's DIG tool is this -- it displays the results you want to see, not the results that you should see. If you enter 28.208.20.12.in-addr.arpa as the Domain Name, choose PTR, and leave Name Server (BAD option!!!) blank, you'll get the SOA record, indicating that the record doesn't exist. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Version 1.80 Logfile Changes
Yes. My global.cfg (which I sent to you in a separate email) contains the lines LOG_OK NONE LOGLEVEL MID --Elise At 9/28/04 04:48 PM, you wrote: Details? Are you seeing the Message OK lines? Typical log entries: 09/28/2004 15:59:07 Qc28b026d0172aa34 L1 Message OK Is this with LOG_OK NONE? That line should prevent this log file entry from appearing. The others, such as Subject/From/etc. should appear if you are using LOGLEVEL HIGH, though (with or without LOG_OK NONE). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.770 / Virus Database: 517 - Release Date: 9/27/04 Elise Lewis mailto:[EMAIL PROTECTED] --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.770 / Virus Database: 517 - Release Date: 9/27/04
Re: [Declude.JunkMail] DNS Puzzler
http://www.dnsstuff.com/tools/ptr.ch?ip=12.20.208.99 shows that ATT is delegating the reverse DNS for 12.20.208.99 to dns.skywaves.net, using the hostname 99.96/28.208.20.12.in-addr.arpa. But dns.skywaves.net doesn't have a PTR record for 99.96/28.208.20.12.in-addr.arpa. So I changed it to 99.96/28IN PTR mail.crofuttsmith.com And now it works. Can you explain why? Because the zone is 208.20.12.in-addr.arpa, the 99.96/28 that you added expands to 99.96/28.208.20.12.in-addr.arpa -- so you now have a PTR record for 99.96/28.208.20.12.in-addr.arpa -- which is what you needed. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DNS Puzzler
Ok, thanks. -d - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 28, 2004 7:26 PM Subject: Re: [Declude.JunkMail] DNS Puzzler http://www.dnsstuff.com/tools/ptr.ch?ip=12.20.208.99 shows that ATT is delegating the reverse DNS for 12.20.208.99 to dns.skywaves.net, using the hostname 99.96/28.208.20.12.in-addr.arpa. But dns.skywaves.net doesn't have a PTR record for 99.96/28.208.20.12.in-addr.arpa. So I changed it to 99.96/28IN PTR mail.crofuttsmith.com And now it works. Can you explain why? Because the zone is 208.20.12.in-addr.arpa, the 99.96/28 that you added expands to 99.96/28.208.20.12.in-addr.arpa -- so you now have a PTR record for 99.96/28.208.20.12.in-addr.arpa -- which is what you needed. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] suggestions on handling a problem
I have a alias on my Imail server running declude 1.80 junkmail pro. That alias [EMAIL PROTECTED] forwards to another box running my lyris mail list software. To prevent people from being bounced due to spam filtering, I have a whitelist domain for the actual lyris box ie [EMAIL PROTECTED] is an alias for [EMAIL PROTECTED] Spam sent to the xyz mailing list would be rejected, since the return addresses were not valid subscribers ... unfortunately, a lot of the spam now not only includes the [EMAIL PROTECTED] but my [EMAIL PROTECTED] ... and due to the whitelist on the lyris box, it seems to be getting through whitelisted to me. Is there anyway I can continue to whitelist the lyrisbox.stat.com EXCEPT for the [EMAIL PROTECTED] email address? David --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] suggestions on handling a problem
Set up your IMail/Declude server as a gateway for the Lyris box so that all E-mail sent to it is spam blocked prior to being delivered by Lyris and then whitelist the IP of the Lyris box. You can then also blacklist anything that has the Lyris domain name since the whitelist IP overrides the blacklist and this would pick up the forging. You would configure your IMail server for gatewaying the domain following the store and forward directions, and change the MX records for the Lyris domain so that they were received by the IMail box first. You might want to change the IP of the Lyris box just in case there are spammers caching the IP (some do and they don't seem to expire old lists for months if not years and you want to stop the direct delivery). There are possibly other and better solutions, but this is the first thing that comes to mind and generally seems appropriate for what you described. Matt David Dodell wrote: I have a alias on my Imail server running declude 1.80 junkmail pro. That alias [EMAIL PROTECTED] forwards to another box running my lyris mail list software. To prevent people from being bounced due to spam filtering, I have a whitelist domain for the actual lyris box ie [EMAIL PROTECTED] is an alias for [EMAIL PROTECTED] Spam sent to the xyz mailing list would be rejected, since the return addresses were not valid subscribers ... unfortunately, a lot of the spam now not only includes the [EMAIL PROTECTED] but my [EMAIL PROTECTED] ... and due to the whitelist on the lyris box, it seems to be getting through whitelisted to me. Is there anyway I can continue to whitelist the lyrisbox.stat.com EXCEPT for the [EMAIL PROTECTED] email address? David --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Disable Declude Updater
Everyone running Declude Updater as a scheduled task, can disable it as new versions are not more published on www.declude.com/version.txt and it looks like future releases wouldn't be available as simple .exe file. regards Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.